From owner-freebsd-questions@freebsd.org Wed Feb 24 13:53:40 2021
From: Kyle Evans <kevans@freebsd.org>
Date: Wed, 24 Feb 2021 07:53:27 -0600
Subject: Re: SSL Certificates in base
To: Andrea Venturoli
Cc: FreeBSD Mailing List
In-Reply-To: <0d404f23-b248-b05a-d6e0-2aafcd80e609@netfence.it>
List-Id: User questions (freebsd-questions@freebsd.org)

On Wed, Feb 24, 2021 at 2:58 AM Andrea Venturoli wrote:
>
> Hello again.
>
> Sorry if this is a dumb question or FAQ: I tried, but failed to find any
> official documentation on this.
>
> In the past, I've always installed security/ca_root_nss to let SSL work,
> as there were no CA certificates in base.
> 12.2 (and possibly older 12.x, I don't know) already provide several
> certificates in /usr/share/certs/trusted.
>

12.2 is indeed the first here, though 11.4 has the infrastructure for it.

> How are we expected to deal with this?
> Is security/ca_root_nss still needed/suggested?
> Is it expected to be obsoleted (although easier to update)?
>

For most people, stuff 'just works'. If you need to add your own roots to
the trust store, then security/ca_root_nss may (will?) be a problem. Too
much stuff has a hard dependency on it, so I have a side branch to add a
USES=caroot and remove that dependency on FreeBSD versions that can do so.

> What's the correct procedure to add additional certificates?
> I guess just dropping them in /usr/share/certs/trusted won't be enough...
>

The current model (which is, IMO, still a little wrong path-wise) is that
you should add your own to /usr/local/share/certs then execute `certctl
rehash`. The exact path is going to change and that one specifically will
be phased out in favor of mirroring the base hierarchy as we should have
done, but we'll make sure those changes are communicated properly.

Thanks,

Kyle Evans
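The procedure Kyle describes (put the certificate under /usr/local/share/certs, then run `certctl rehash`) as an added example script. This is not code from the thread or from FreeBSD; it wraps the two steps with the checks an operator wants before touching the system trust store: the file must actually contain PEM certificate blocks, must not carry private-key material (the trust directory is world-readable), and gets a sane file name. The `LOCAL_CERT_DIR` and `CERTCTL` overrides, the `.pem` naming and the `verify_trusted` helper (which assumes certctl's default output directory /etc/ssl/certs and needs openssl(1)) are this example's own assumptions; the directory is a variable precisely because Kyle says the path will change.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from FreeBSD itself:
# install a locally trusted CA certificate into the directory Kyle names,
# with basic sanity checks, then rebuild the trust store with certctl(8).
set -eu

# Directory for local additions (per Kyle; overridable since the path is
# expected to change).
LOCAL_CERT_DIR="${LOCAL_CERT_DIR:-/usr/local/share/certs}"
# Command that rebuilds the trust store. Set CERTCTL=true for a dry run.
CERTCTL="${CERTCTL:-certctl}"

# pem_cert_count FILE: print how many PEM certificate blocks FILE holds.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# validate_pem FILE: succeed only if FILE is readable, holds at least one
# certificate with balanced BEGIN/END markers, and contains no private key
# (a key copied into a public trust directory is a credential leak).
validate_pem() {
    f="$1"
    [ -r "$f" ] || { echo "validate_pem: cannot read $f" >&2; return 1; }
    n=$(pem_cert_count "$f")
    [ "$n" -gt 0 ] || { echo "validate_pem: no CERTIFICATE block in $f" >&2; return 1; }
    begins=$(grep -c '^-----BEGIN' "$f" || true)
    ends=$(grep -c '^-----END' "$f" || true)
    [ "$begins" -eq "$ends" ] || { echo "validate_pem: unbalanced PEM markers in $f" >&2; return 1; }
    if grep -q 'PRIVATE KEY-----' "$f"; then
        echo "validate_pem: $f contains private-key material; refusing" >&2
        return 1
    fi
    return 0
}

# install_local_ca FILE [NAME]: validate FILE, copy it to
# LOCAL_CERT_DIR/NAME.pem with mode 0644 (trust anchors are public), run the
# rehash, and print the installed path. NAME defaults to FILE's basename.
install_local_ca() {
    src="$1"
    name="${2:-$(basename "$src" .pem)}"
    validate_pem "$src"
    case "$name" in
        */*|.*|"") echo "install_local_ca: bad name '$name'" >&2; return 1 ;;
    esac
    dest="$LOCAL_CERT_DIR/$name.pem"
    mkdir -p "$LOCAL_CERT_DIR"
    install -m 0644 "$src" "$dest"
    "$CERTCTL" rehash
    echo "$dest"
}

# verify_trusted FILE [TRUST_DIR]: after a rehash, a link named after the
# certificate's subject hash should exist in the trust directory
# (assumed default /etc/ssl/certs). Requires openssl(1).
verify_trusted() {
    dir="${2:-/etc/ssl/certs}"
    h=$(openssl x509 -in "$1" -noout -hash)
    for link in "$dir/$h".*; do
        [ -e "$link" ] && return 0
    done
    echo "verify_trusted: no $h.* link in $dir; did the rehash run?" >&2
    return 1
}

# Usage: sh install-local-ca.sh corp-root.pem [name]
if [ $# -gt 0 ]; then
    install_local_ca "$@"
fi
```

Run it as root with the certificate file as its argument, then `verify_trusted corp-root.pem` confirms the anchor is actually picked up, which is the check that catches a wrong directory once the path Kyle mentions does change.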